matedwards asked on

Group Policy when authenticating to Azure (365)

We have an on-prem domain syncing Users & Devices to our 365 (Azure) with AD Connect.
When an AD user authenticates against Azure (i.e. the login page shows "Access Work or School"), the GPOs set on-prem do not apply to the user. Only Computer GPOs with Loopback Processing enabled apply.
The computer is still domain joined and the user exists on-prem and in Azure, so it's the same user account.
Can anyone explain what is happening? Or, how can I get them to apply?
Any help would be greatly appreciated.
Windows Server 2012, gp1, Azure

Last Comment: matedwards, 8/22/2022 - Mon
Jian An Lim


If it is domain joined or hybrid joined, GPO will take precedence over anything else.
There is nothing specific you need.

If it is Windows 10, I would go down to hybrid join (configure your AADConnect correctly).

For SSO:
With hybrid joined (or cloud joined), you will have Windows 10 SSO (PRT SSO).
If domain joined, you will need to use AADConnect SSO (and add the URL to the intranet zone).


I don't think I want to mention anything about cloud joined until you are ready.


matedwards

ASKER
Thank you, Jian.

We do have AD-Connect configured so I assume we have a 'hybrid' set-up.
The laptop and the user are in on-prem Active Directory.
The computer GPO settings apply but User GPO settings do not. Unless we apply 'loopback processing' and then the User GPO settings on the laptop OU apply for all users on that device.
Why don't existing User GPO settings apply?
Jian An Lim

If your laptop is joined to an on-premises Domain, then GPO will apply.

If your GPO applies to the user GPO, then the user GPO (and computer GPO) will work.
If your GPO applies to the laptop GPO, then the computer GPO will apply. If you put loopback processing, the user GPO will also apply. This usually happens on Terminal Servers, where the user GPO is different from your normal user GPO.

Reference: https://techgenix.com/managing-terminal-services-group-policy
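A diagnostic that checks, on the affected laptop, the three things this answer hinges on: the join state reported by dsregcmd, the loopback processing mode the computer actually received, and which user-scoped GPOs gpresult says applied to the current logon. It is an added example, not posted by anyone in the thread; the registry value and dsregcmd field names are the standard Windows ones, and the parsing assumes English-language gpresult output.

```powershell
# Added diagnostic (not from the thread). Sign in as the affected user on the
# affected laptop and run in a PowerShell prompt.

# 1. Join state: dsregcmd is the built-in Azure AD / hybrid join status tool.
$status = dsregcmd /status
foreach ($key in 'DomainJoined', 'AzureAdJoined', 'EnterpriseJoined') {
    $m = $status | Select-String -Pattern "^\s*$key\s*:\s*(\S+)" | Select-Object -First 1
    $value = if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
    '{0,-17}: {1}' -f $key, $value
}

# 2. Loopback mode delivered by the computer-side policy
#    (Computer Configuration > Policies > Administrative Templates > System >
#    Group Policy > "Configure user Group Policy loopback processing mode").
#    UserPolicyMode 1 = Merge, 2 = Replace; absent = not configured.
$modeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $modeKey -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
switch ($mode) {
    1       { 'Loopback: MERGE   (user-linked GPOs plus user settings from the computer OU GPOs)' }
    2       { 'Loopback: REPLACE (only user settings from the computer OU GPOs)' }
    default { 'Loopback: not configured (only GPOs linked to the user object apply)' }
}

# 3. User-scoped GPOs that the Group Policy engine applied to this logon.
#    If the signed-in identity is not the on-prem domain user, this list will
#    contain only GPOs pulled in through loopback, which is the symptom above.
$report  = gpresult /r /scope:user
$section = $report | Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 30 |
           Select-Object -First 1
$gpos = @()
if ($section) {
    foreach ($line in $section.Context.PostContext) {
        if ($line -match '^\s*-+\s*$') { continue }   # skip the underline
        if ($line -notmatch '\S')      { break }      # blank line ends the list
        $gpos += $line.Trim()
    }
}
'User-scoped GPOs applied to this logon:'
if ($gpos) { $gpos | ForEach-Object { "  $_" } } else { '  (none)' }
```

If step 1 shows DomainJoined: YES but step 3 lists only the GPOs linked to the laptop's OU, the user settings are reaching the device through loopback rather than through the user object, which matches the behaviour described in the question.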

ASKER CERTIFIED SOLUTION
RAFA

matedwards

ASKER
I shall make sure all User settings are explicitly set at the GPO where Loopback processing is enabled.